How to change the default ports on the vCenter Server Appliance in vSphere 6.0?

When deploying the vCenter Server Appliance (VCSA), there is a set of default network ports that are pre-defined by VMware. It is generally recommended to stick with these defaults unless you have a really good reason to modify them. I am a big fan of strong defaults, which can help reduce the number of steps it takes to deploy the VCSA; however, I do understand that some organizations may have specific security requirements that require them to change some of the default ports. It is also important to note that changing the default network ports post-installation is not supported.

Disclaimer: This is not officially supported by VMware, please use at your own risk.

If you deploy the VCSA using the new Guided UI installer, you will not be able to modify the default network ports. However, if you deploy using the new Scripted CLI installer, you do have the option of overriding some of the default ports. Below is a table of the ports that can be modified which includes the variable name, default port number and their port usage which is described in the vSphere 6.0 documentation here. The variable port names are required in the JSON configuration file if you decide to modify from the default.

| Variable Name | Port | Port Usage |
|---|---|---|
| rhttpproxy.ext.port1 | 80 | HTTP Reverse Proxy Port |
| rhttpproxy.ext.port2 | 443 | HTTPS Reverse Proxy Port |
| syslog.ext.port | 514 | Syslog Service Port |
| vpxd.ext.port1 | 902 | ESXi Heartbeat port |
| syslog.ext.tls.port | 1514 | Syslog Service TLS port |
| netdumper.ext.serviceport | 6500 | ESXi Dump Collector port |
| autodeploy.ext.serviceport | 6501 | Auto Deploy Service port |
| autodeploy.ext.managementport | 6502 | Auto Deploy Management port |
| sts.ext.port1 | 7444 | Secure Token Service port |
| vsphere-client.ext.port1 | 9443 | vSphere Web Client port |

Under the "Networking" section of the JSON configuration file, there is a "Ports" field which accepts a JSON-encoded string of the ports you wish to modify. It actually took me a bit of time to figure out the exact syntax as this was not clearly documented anywhere. Let's say we wish to change the default HTTPS Reverse Proxy from 443 to 13443 and the PSC's STS port from 7444 to 7441; you will need to specify it as shown in the example below. The key is to properly escape the inner double quotes, since ports accepts a single string input.
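As an added illustration (not the author's or VMware's code), the Python sketch below builds the escaped string for the two changes just described and rejects variable names outside the table above as well as overrides that would put two services on the same port. Assumptions: the field name casing "Ports" is taken from the text, and port numbers are written as quoted strings inside the inner JSON.

```python
import json

# Overridable ports and their defaults, taken from the table above.
DEFAULT_PORTS = {
    "rhttpproxy.ext.port1": 80,
    "rhttpproxy.ext.port2": 443,
    "syslog.ext.port": 514,
    "vpxd.ext.port1": 902,
    "syslog.ext.tls.port": 1514,
    "netdumper.ext.serviceport": 6500,
    "autodeploy.ext.serviceport": 6501,
    "autodeploy.ext.managementport": 6502,
    "sts.ext.port1": 7444,
    "vsphere-client.ext.port1": 9443,
}


def build_ports_value(overrides):
    """Validate the overrides and return the inner JSON string for the field."""
    effective = dict(DEFAULT_PORTS)
    for name, port in overrides.items():
        if name not in DEFAULT_PORTS:
            raise ValueError(f"unknown port variable: {name}")
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port for {name}: {port!r}")
        effective[name] = port
    # Conservative check (ignores TCP/UDP): no two services may share a port.
    seen = {}
    for name, port in effective.items():
        if port in seen:
            raise ValueError(f"port {port} used by both {seen[port]} and {name}")
        seen[port] = name
    # Assumption: port numbers are quoted strings inside the inner JSON.
    return json.dumps({n: str(p) for n, p in overrides.items()})


def render_field(overrides, field="Ports"):
    """Return the field as it appears in the file, inner quotes escaped."""
    # Serialising the inner string a second time produces the \" escaping.
    return f"{json.dumps(field)}: {json.dumps(build_ports_value(overrides))}"


if __name__ == "__main__":
    # The change described in the text: HTTPS 443 -> 13443, STS 7444 -> 7441.
    print(render_field({"rhttpproxy.ext.port2": 13443, "sts.ext.port1": 7441}))
```

Running the script prints the single line to paste into the "Networking" section; parsing that line back with any JSON parser should yield a plain string whose content is itself valid JSON.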

If everything was successful, when you connect to the VCSA, you should see that we no longer use the default port of 443 to connect to the vCenter Server as you can see from the screenshot below.

If you ever wonder what ports were selected for either a vCenter Server or Platform Services Controller, you can easily find that by following the instructions in this article.

For customers using the Windows version of vCenter Server, you do have the option of modifying the default ports using the Guided UI, since there is no guarantee these ports are not in use as VMware does not control the underlying OS. You can also use the Windows Scripted CLI to modify the default ports; you can find more information about it here.

For 6.0 you can change the webconsole port in VCSA in:
/etc/vmware/vsphere-client/webclient.properties

Add this line:

html.console.port = 8081

Then make sure to open the firewall to this port. I’m not certain if the firewall rules in the vcenter application will work, but they should. Alternatively that file suggests a generic iptables rule:

sudo iptables -A INPUT -p tcp --dport <port> -j ACCEPT

I’m wary about the iptables route above because typically these will not be static and will be erased on reboot unless you do an iptables-save, but I don’t know 100% how iptables works on the VCSA appliance – VMware likes to heavily customize its OS and packages.

Author

William Lam is a Staff Solutions Architect working in the VMware Cloud on AWS team within the Cloud Platform Business Unit (CPBU) at VMware. He focuses on Automation, Integration and Operation of the VMware Software Defined Datacenter (SDDC).